The exposed information includes the WiFi network name, BSSID, local IP addresses, DNS server information, and the MAC address. Normally, extra permissions are required to access such details, but Wi-Fi broadcasts allow all applications to capture the information, thus bypassing existing mitigations.

Furthermore, Nightwatch Cybersecurity’s researchers argue that the MAC address, which is tied to the hardware, can be used to “uniquely identify and track any Android device.” Information such as network name and BSSID allow for the geolocation of users, while other information can be leveraged for other attacks.

Tracked as CVE-2018-9489, the vulnerability was addressed in the recently released Android 9, but previous platform iterations continue to be impacted, ths security firm says. Thus, all devices running under those OS versions, including forks such as Amazon’s FireOS for the Kindle, are believed to be vulnerable.

The issue, the security researchers say, is that application developers neglect to implement restrictions or mask sensitive data when it comes to the use of “Intents” in their applications. These Intents are system-wide messages that both apps and the OS can send, and which other applications can listen to.

The Android platform, the security researchers explain, regularly broadcasts information about the WiFi connection and the WiFi network interface and uses WifiManager’s NETWORK_STATE_CHANGED_ACTION and WifiP2pManager’s WIFI_P2P_THIS_DEVICE_CHANGED_ACTION Intents for that.

“This information includes the MAC address of the device, the BSSID and network name of the WiFi access point, and various networking information such as the local IP range, gateway IP and DNS server addresses. This information is available to all applications running on the user’s device,” the researchers note.

Applications looking to access the information via the WifiManager would normally require the “ACCESS_WIFI_STATE” permission in the application manifest. Apps looking to access geolocation via WiFi require the “ACCESS_FINE_LOCATION” or “ACCESS_COARSE_LOCATION” permissions.

Applications listening for system broadcasts, however, don’t need these permissions and can capture the details without user’s knowledge. They can even capture the real MAC address, although it is no longer available via APIs on Android 6 or higher.

“We performed testing using a test farm of mobile device ranging across multiple types of hardware and Android versions. All devices and versions of Android tested confirmed this behavior, although some devices do not display the real MAC address in the “NETWORK_STATE_CHANGED_ACTION” intent but they still do within the “WIFI_P2P_THIS_DEVICE_CHANGED_ACTION” intent,” the researchers said.

Given that Google addressed the issue in Android 9 only, users are encouraged to upgrade to this platform iteration to ensure they remain protected.